is it everything in your profile or just your saved browser passwords? What browser are you using?
– Nick Kavadias, Oct 19 '09 at 13:23

Honestly, if I was that paranoid about domain admins changing my password and logging in I wouldn't be saving passwords in my browser (or any other local cache for that matter).
– squillman, Oct 19 '09 at 18:09

EFS is controlled by your domain account, so the admin can reset this too, right?
– Nick Kavadias, Oct 19 '09 at 13:22

A DRA (Data Recovery Agent) was required in a Windows 2000 domain, and by definition the DRA could recover any files encrypted using EFS. Windows Server 2003 does not require a DRA. Also, the user's private EFS key is encrypted using a hash of their username and password, so admins can reset it but never read it. en.wikipedia.org/wiki/Encrypting_File_System
– Nic, Oct 19 '09 at 15:54

That same KB also points out that a password reset will also result in losing access to browser (IE) passwords.
– Zoredache, Oct 22 '09 at 4:13

If you are using an alternate browser, then you will probably need to look at how that browser protects the data. For example, in Firefox you can set a master password.

Whole-disk encryption is probably the most effective option to protect locally stored data.

If you don't trust your fellow administrators and are worried about them stealing your password, I would suggest that you need to make sure there are no keyloggers. It would be much easier for them to simply load up a keylogger. With a hardware keylogger there is pretty much no way you could detect them stealing your passwords.

While I'd generally agree with the comments that if you can't trust your Domain Admins there is something that needs to be fixed in your environment, I can see some good arguments for providing an additional layer of access control under some circumstances.

In any case, even if you are just being personally paranoid, I would recommend that you check to see if your system has a built-in Trusted Platform Module and if the vendor provides drivers and a security suite for it. Pretty much all business-class PCs now have a reasonably capable TPM that will provide secure credential storage amongst other things. With a decent security suite to go with it, that will give you [A] a defence against rogue admins and [B] the ability to withstand a domain password reset (unlike EFS). Lenovo have a nice write-up here on their Client Security Suite that leverages the built-in TPM on ThinkPads to provide a hardware-secured credential store, and it uses that credential store to protect the keys to a password manager and an encrypted private disk. If you install this without Active Directory integration you can then use their Browser Security mechanisms or simply run a portable browser install from the protected disk, and you will have the additional security layer you want.
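As an added illustration (not code from any of the answers or comments above), the following Python models the point raised in the comment about EFS keys and in the answer about withstanding a domain password reset: a secret wrapped under a key derived from the user's password survives a user-initiated password change but not an administrative reset. The real DPAPI/EFS cryptography is replaced by a simplified HMAC-based wrap, and the UserProfile class and its methods are hypothetical.

```python
import hashlib
import hmac
import os


def derive_key(password, salt):
    # Key built from the password alone: without the password it cannot be rebuilt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def wrap(key, secret32):
    # Simplified stand-in for DPAPI/EFS: XOR a 32-byte secret with an HMAC keystream,
    # then append an HMAC tag so that unwrapping with a wrong key is detected.
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret32, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unwrap(key, blob):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key: the stored secrets are unrecoverable")
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class UserProfile:
    """Hypothetical account model: a logon verifier (admin-resettable) plus a master key
    that is only ever stored wrapped under the password-derived key."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.logon_hash = hashlib.sha256(password.encode()).digest()
        master_key = os.urandom(32)  # protects EFS files / the browser's saved passwords
        self.wrapped_master = wrap(derive_key(password, self.salt), master_key)

    def logon(self, password):
        return hmac.compare_digest(self.logon_hash, hashlib.sha256(password.encode()).digest())

    def open_store(self, password):
        # Logon succeeds with the current password, but the master key only unwraps
        # with the password it was wrapped under.
        if not self.logon(password):
            raise PermissionError("logon failed")
        return unwrap(derive_key(password, self.salt), self.wrapped_master)

    def change_password(self, old, new):
        # User-initiated change: the old password is known, so the key is re-wrapped.
        master_key = self.open_store(old)
        self.wrapped_master = wrap(derive_key(new, self.salt), master_key)
        self.logon_hash = hashlib.sha256(new.encode()).digest()

    def admin_reset_password(self, new):
        # Admin reset: only the verifier changes; nothing can re-wrap the master key.
        self.logon_hash = hashlib.sha256(new.encode()).digest()
```

After admin_reset_password, logon with the new password works but open_store raises PermissionError, which is exactly the loss of EFS and saved-browser-password access described above.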

For the particular example (saved passwords in a browser) I would recommend using the master password provided by Firefox. It encrypts the password cache.

In KDE (and GNOME) there are tools like Wallet, which also provide secure storage for credentials (e.g. for the browser, mail app, chat client, etc.) using a separate password. I believe something like this is available for Windows, too.

Another way would be to encrypt your home directory with TrueCrypt using a container file which contains your profile and documents.

Another option for saving your passwords is using this UPEK fingerprint reader to remember them. It's not free, but it's pretty cheap. You'll need to authenticate with your finger every time you want it to log you in to your saved websites. I've been using it for a couple of months now without issues.

Keep in mind, fingerprint readers are not impossible to hack, but it would stop the casual hacker.